Commit Graph

25 Commits

Author SHA1 Message Date
Zuul 144cdf90be Merge "Add get_ksa_client() helper" 2021-03-02 19:41:57 +00:00
Dan Smith 782ff60cbf Add get_ksa_client() helper
This adds a method in glance.context that will give us a
keystoneauth1 client, authorized with the user's token, suitable for
calling directly to other services.

Related to blueprint distributed-image-import

Change-Id: I71ed8c80939b4cfab6a081c2f8cde63299fc7893
2021-03-01 10:51:29 -08:00
Lance Bragstad e6755ebab9 Pass oslo.context RequestContext objects directly to policy enforcement
The oslo.policy's Enforcer() object will transpose authorization
information from oslo.context RequestContext objects if you pass one
to enforce()[0].

This commit simplifies the enforcement code in glance by letting
oslo.policy handle the translation instead of glance. This allows us to
remove the to_policy_values() method maintained in glance since it's no
longer used.

[0] 775641a5fc

Related: blueprint secure-rbac

Change-Id: Ie7f9a9201361c56e0f0a289ef93443b9e277357c
2021-02-23 22:23:12 +00:00
Cyril Roelandt 7839ab0925 Remove unused option "owner_is_tenant"
This option has been deprecated since Rocky.

Change-Id: I8edc957ad50ec28d80a06e76912f4226cea53562
2021-02-11 16:17:10 +01:00
Dan Smith c59ed1bce8 Add context.elevated() helper for getting admin privileges
This adds an elevated() method to glance.context.RequestContext similar
to what Nova and other projects use. When doing something as admin on
behalf of a user, this results in a whole context, including information
about the user and the request, but with is_admin==True.

Change-Id: I5499946425b1c32476c57241b4b14b601daa841f
2020-07-10 08:59:53 -07:00
Matt Riedemann 88a8ad7823 Fix DeprecationWarnings for RequestContext.tenant/user usage
RequestContext.tenant and user fields are deprecated in favor
of project_id and user_id respectively.

This change modifies the glance.context.RequestContext constructor
to transition usage of tenant/user to project_id/user_id until
all tests are moved over to the new attributes. Runtime usage of
the old fiels is updated.

To prevent new code from using the deprecated fields, a warnings
filter is added which will make tests fail if they hit code using
the old fields.

Co-Authored-By: Abhishek Kekane <akekane@redhat.com>
Change-Id: I351380840308a24769ece93abc6d1a9a6d6aa06f
2019-02-06 09:59:36 -05:00
Sean McGinnis a919fa1ed7 Use new oslo.context arg names
Various RequestContext values have been renamed and the old names
deprecated. This results in a large amount of DeprecationWarning
messages in the logs.

This updates glance.context.RequestContext to use the new names.

Change-Id: Id34637542051cfdc532eebdfbf95edd8a58467da
2017-11-27 10:20:10 -06:00
Jamie Lennox ca501cba92 Use oslo.context features
In an effort to standardize policy and authentication values
oslo.context has new features such as from_environ which constructs a
standard oslo.context object from the environment variables created by
auth_token middleware and to_policy_values which emit a standard
credentials target for writing common policy files across services.

Use these standard functions when dealing with contexts and policy in
glance.

Closes-Bug: #1602081
Change-Id: I40582cb34818b980d6c6914b2c9346a17a0ed489
2016-07-12 13:40:33 +10:00
kairat_kushaev 6163fe1198 Use roles attribute from oslo context
Starting from version 2.2.0 oslo context has out-of-the-box 'roles'
attribute that can store user roles. So Glance doesn't need to implement
custom attribute for roles in Request Context anymore.

Change-Id: I39804ebc5f91ce6ad5bfb9c52b324d4cc8a8b115
2016-04-04 13:35:17 +00:00
Martin Mágr 9a6823326b Add db purge command
This patch adds "db purge" to glance-manage for deleting soft deleted
images, tasks.

Change-Id: I5b609292aa15f8133d0d785fcf9143825bed8073
Implements: blueprint database-purge
2015-12-11 19:16:58 +01:00
Julien Danjou 84955d6353 Simplify context by using oslo.context
This is a first step toward removing Glance specific context object.

Change-Id: I0125811e1afeccb5896c9bcb4447cd7fac58f247
2015-02-02 09:51:52 +01:00
Stuart McLaren cc7ae2abd5 Make RequestContext use auth_token (not auth_tok)
The RequestContext class from oslo-incubator uses 'auth_token'.
Glance's RequestContext uses 'auth_tok' -- which is inconsistent.

glance_store currently uses the oslo 'auth_token'.

We should not assume a 1-1 mapping from the glance_store to glance,
nor should we have glance_store support both 'auth_token' and
'auth_tok'. Therefore Glance should be updated to use 'auth_token'.

This change was generated automatically with:

$ for file in `find glance -name '*\.py' -exec grep -wl auth_tok "{}" \;` ; \
  do sed --in-place 's/\<auth_tok\>/auth_token/g' $file ; done

In addition, the set_auth_token function was removed. This had been used
by Nova to work around the auth_tok <-> auth_token inconsistency, but
was removed in mid-2012 as part of the move to python-glanceclient so
is no longer needed.

In conjuction with other changes this fixes image upload when
using the multi-tenant Swift store.

Change-Id: Ic8a5f44088990fd8f6290a5622b823f59ef365fc
Partial-bug: #1385213
2014-10-28 15:39:21 +00:00
Julien Danjou fadbef8511 hacking: upgrade to 0.9.x serie
Change-Id: I252758fd633662de9659a402c5e3d7e3ce1fae0f
2014-10-06 14:41:03 +02:00
Balazs Gibizer 765b6c98e0 Fix logging context to include user_identity
The user_identity generated created from user, tenant, domain
user_domain and project_domain.
The new domain related values are default to None

Closes-Bug: #1283080

Change-Id: I5e43142afba3492ecf05b65ba24ee70f158f88de
2014-02-21 17:19:31 +01:00
Noboru arai 8de10b0f34 Remove vim header
No need to set tabstop tons of times, this can be set in your vimrc
file instead.

More disucssion:
http://openstack.10931.n7.nabble.com/Remove-vim-modelines-td21780.html

Change-Id: I3b830a5bb831a63c188109e6fad66ba48884fff3
Partial-Bug: #1229324
2014-01-14 16:03:28 +00:00
Arnaud Legendre 11b5487eff Use uuid instead of uuidutils
Each project should directly use the standard uuid module.
uuidutils will be deprecated/removed in this cycle.

This patch replaces every uuidutils.generate_uuid() with
str(uuid.uuid4()) and uuidutils.is_uuid_like()
with utils.is_uuid_like().

Change-Id: I43642d4f1e137c14134b3d544e367b504b9851ac
Closes-Bug: #1253497
2013-12-24 11:43:17 -08:00
Dirk Mueller 518bbf7298 Changed header from LLC to Foundation based on trademark policies
Fixes: Bug 1214176

Change-Id: I4e394c33d810fe7d48066ff7cb6143f7eae25f13
2013-09-10 18:29:53 +02:00
Eoghan Glynn cc938e25f3 Use RBAC policy to determine if context is admin.
Fixes bug 1152716

If the context roles do not match the configured admin_role,
fall back to determining if admin via the "context_is_admin"
RBAC policy rule (for consistency with the approach used by
the other projects).

Note this requires that the "context_is_admin" rule *must*
be set in the policy.json if the out-of-the-box default rule
is used (as this default is so open, the net effect of omitting
the "context_is_admin" rule is for every request to acquire
admin status).

Change-Id: Ide2cf604b48f24bd759ce2d65091ff546cd9d22e
2013-05-02 16:40:24 +01:00
Brian Waldon a336e59b44 Update common openstack code from oslo-incubator
* Update to oslo-incubator commit b17b268a269c4989d76267db5c2d49d4c20bd51d.
* Update usage of 'deferred_version_string' to 'cached_version_string'
* Add context values 'user' and 'tenant' for context-logging
* Remove prefixes that resolve to '%prog' in --version CLI output

Change-Id: I24d9a24ad1a6e9379008ea719c9cbd22899111f9
2013-01-09 11:16:59 -08:00
Alex Meade a26f3613ba Use generate_uuid from openstack common.
Change-Id: Ie1b55df2301b5ca276571117386a0625e039adc2
2012-11-12 15:39:58 -05:00
Zhongyue Luo 305a9c12b5 Clean up pep8 E124 violations
Fixed E124 errors
All other ignores are to be removed in the next sequence of patches

Change-Id: Ic96ebf5dff645dfdc47478beeb6965d6ad266243
2012-09-24 09:32:11 +08:00
Alex Meade 5cf0c9b4eb Store context in local thread store for logging.
This also fixes the logging of request ids for every request.

Fixes bug 1031596

Change-Id: Ifd0217c99402316214efaf1fe8533c60c2277257
2012-08-01 12:05:49 -04:00
Dan Prince 444ad454b7 Adds service_catalog to the context.
Updates the ContextMiddleware so that it stores the service_catalog
which from set via Keystone's auth_token middleware.

The motivation for this change is that we'll need access to the
'object-store' endpoint in order to implement swift tenant specific
storage.

Partially implements blueprint: swift-tenant-specific-storage

Change-Id: I0389e135f6683a353ae915b543d70f6ac1246b2c
2012-07-12 14:55:43 -04:00
Brian Waldon 06f7fe92a6 Generate request id and return in header to client
* Generate a uuid in RequestContext.request_id on init
* Present request_id in an 'x-openstack-request-id' header using
  process_response in the ContextMiddlewares
* Related to bp glance-request-tracking

Change-Id: Idd9b86661322250b6167a1ee23e5baae91066ff6
2012-07-10 08:42:11 -07:00
Brian Waldon ce899351da Reorganize context module
* Move RequestContext class to glance.context
* Move context middlewares to glance.api.middleware
* Update tests to reflect move
* Update paste configs

Related to bp glance-request-tracking

Change-Id: I289b546ec28c973a3022be779ce378ae2febb340
2012-07-10 08:31:50 -07:00